Commit | Line | Data |
---|---|---|
policy_module(courier, 1.5.0)

########################################
#
# Declarations
#

# One template call per Courier service. The rules further down refer to
# courier_<name>_t and courier_<name>_exec_t, so the template (defined outside
# this file) presumably declares that pair for each service -- confirm in the
# interface file.
courier_domain_template(authdaemon)
courier_domain_template(pcp)
courier_domain_template(pop)
courier_domain_template(tcpd)
courier_domain_template(sqwebmail)
# Keeps the name sqwebmail_cron_exec_t resolving to the sqwebmail executable type.
typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;

# Configuration files.
type courier_etc_t;
files_type(courier_etc_t)

# Data under /var/lib (see files_search_var_lib in the TCPd section).
type courier_var_lib_t;
files_type(courier_var_lib_t)

# Runtime (pid) files.
type courier_var_run_t;
files_pid_file(courier_var_run_t)

# Shared Courier executables; labelled as a plain file type here, and run
# by authdaemon and tcpd through can_exec().
type courier_exec_t;
files_type(courier_exec_t)

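########################################
#
# Authdaemon local policy
#

# The authentication daemon may change its own UID/GID and reconfigure its tty.
allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
allow courier_authdaemon_t self:unix_stream_socket connectto;

can_exec(courier_authdaemon_t, courier_exec_t)

# Access to descriptors, sockets and pipes owned by courier_tcpd_t.
# Each distinct rule is stated once: allow rules are additive, so repeating
# one grants nothing further and only makes the policy harder to audit.
allow courier_authdaemon_t courier_tcpd_t:fd use;
allow courier_authdaemon_t courier_tcpd_t:process sigchld;
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
# NOTE(review): rw_file_perms is the regular-file permission set applied to a
# fifo_file, next to rw_fifo_file_perms above. Presumably redundant; kept so
# the granted permissions stay unchanged -- compare the two set definitions
# before dropping it.
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;

corecmd_search_bin(courier_authdaemon_t)

# for SSP
dev_read_urand(courier_authdaemon_t)

files_getattr_tmp_dirs(courier_authdaemon_t)

# Going by the macro name, password checking is reached through a domain
# transition to the chk_passwd helper rather than performed in this domain.
auth_domtrans_chk_passwd(courier_authdaemon_t)

libs_read_lib_files(courier_authdaemon_t)

miscfiles_read_localization(courier_authdaemon_t)

# should not be needed!
# NOTE(review): by its name this lets the authentication daemon search
# unprivileged users' home directories. Before deleting it, run without the
# rule in a test environment and check the audit log for AVC denials.
userdom_search_unpriv_users_home_dirs(courier_authdaemon_t)

courier_domtrans_pop(courier_authdaemon_t)

# dontaudit rule: attempts to search sysadm home directories stay denied but
# are not logged, so they will not appear in audit-based monitoring.
sysadm_dontaudit_search_home_dirs(courier_authdaemon_t)
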
########################################
#
# Calendar (PCP) local policy
#

# The calendar daemon may change its own UID and GID; no other capability
# is granted in this section.
allow courier_pcp_t self:capability { setgid setuid };

# Random-device read access (per the macro name).
dev_read_rand(courier_pcp_t)

########################################
#
# POP3/IMAP local policy
#

# Sockets and child-exit signalling towards the authentication daemon.
allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;

# Client connection sockets owned by the TCP listener.
allow courier_pop_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
allow courier_pop_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;

# inherits file handle - should it?
# NOTE(review): this rule exists only to accommodate a descriptor inherited
# from the parent. If the parent can close it (or open it close-on-exec)
# before the transition, read/write on courier_var_lib_t files would not be
# needed here -- confirm which file it is before changing anything.
allow courier_pop_t courier_var_lib_t:file { read write };

miscfiles_read_localization(courier_pop_t)

courier_domtrans_authdaemon(courier_pop_t)

# do the actual work (read the Maildir)
# NOTE(review): the two macros below manage files and directories in
# unprivileged users' home content generally, not just the Maildir.
userdom_manage_unpriv_users_home_content_files(courier_pop_t)
# cjp: the directory access differs between pop and imap, which suggests
# there should be separate courier_pop_t and courier_imap_t domains; the
# mail store should probably also get its own type instead of the regular
# home dir type.
userdom_manage_unpriv_users_home_content_dirs(courier_pop_t)

########################################
#
# TCPd local policy
#

# The listener may signal processes it does not own.
allow courier_tcpd_t self:capability { kill };

can_exec(courier_tcpd_t, courier_exec_t)

# Full management of regular files and symlinks labelled courier_var_lib_t
# inside courier_var_lib_t directories.
manage_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t)
manage_lnk_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t)
files_search_var_lib(courier_tcpd_t)

corecmd_search_bin(courier_tcpd_t)

# Network: bind on every node, but only to the POP port type, and exchange
# POP server packets.
corenet_tcp_bind_all_nodes(courier_tcpd_t)
corenet_tcp_bind_pop_port(courier_tcpd_t)
corenet_sendrecv_pop_server_packets(courier_tcpd_t)

# for TLS
dev_read_rand(courier_tcpd_t)
dev_read_urand(courier_tcpd_t)

miscfiles_read_localization(courier_tcpd_t)

# Accepted connections are handed to the POP domain via domain transition
# (per the macro name).
courier_domtrans_pop(courier_tcpd_t)

########################################
#
# Webmail local policy
#

# Read-only view of kernel sysctls (per the macro name).
kernel_read_kernel_sysctls(courier_sqwebmail_t)

# Applied only when the cron policy module is present: registers the
# sqwebmail executable type as an entry point for system cron jobs.
optional_policy(`
	cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
')